The proposal—Senate Bill 561, introduced on February 25, 2019, by California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson—would amend the California Consumer Privacy Act (“CCPA”) to expand the scope of the consumer private right of action and to remove a notice-and-cure safe harbor from Attorney General enforcement.

The CCPA is due to become effective January 1, 2020. Among other things, the CCPA establishes a consumer right to request details from covered businesses about the collection of personal information, the purpose of such collection, and third parties with whom the information has been or may be shared. Covered businesses are also required to delete personal information upon request (subject to certain exceptions); must disclose certain information regarding their sale of consumer data; and must provide consumers the right to opt out of having their information sold, without discriminating against those who do opt out.

The CCPA applies to any business that (i) collects personal information about consumers, defined as natural persons who are California residents; (ii) does business in California; and (iii) meets at least one of three criteria: (a) has annual gross revenues exceeding $25 million; (b) buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices annually; or (c) derives 50 percent or more of its annual revenue from selling consumers’ personal information. Like Europe’s GDPR, the CCPA defines “personal information” broadly, although the definitions under the two rules are not identical, as the CCPA also encompasses information that can be linked to “household[s],” even if not to individual consumers.

In its current form, the CCPA provides a private right of action only for consumers whose nonencrypted personal information is stolen or leaked as a result of a business’s failure to implement and maintain reasonable security procedures and practices. Remedies available to consumers under the rule are the greater of actual damages or statutory damages of $100 to $750, but notice and a 30-day opportunity to cure must be provided to the business before a consumer may seek statutory damages. Violations of other provisions of the act are subject to enforcement only by the California Attorney General, who may bring an action for a civil penalty of up to $2,500 per violation or $7,500 per intentional violation. Actions by the Attorney General for violations of the act are also subject to a 30-day notice-and-opportunity-to-cure requirement.

Senate Bill 561 proposes the following changes to the CCPA:

Expanding the consumer private right of action to allow consumers to bring suit for any violation of the CCPA, rather than only for theft or leakage of personal information due to the failure to maintain reasonable security precautions;

Eliminating the 30-day notice-and-opportunity-to-cure requirement before the California Attorney General may bring an action for a violation (but leaving in place the 30-day cure period for the private right of action); and

Removing the California Attorney General’s obligation to provide guidance opinions in response to requests from businesses on CCPA compliance, such that the Attorney General would only be permitted (but not required) to publish materials providing “general” guidance on compliance.

If adopted, this amendment could substantially increase potential liability for businesses that violate the CCPA and eliminate some current safe harbors. The proposed amendment does not address other potential issues within the CCPA, including the breadth of its definition of “personal information” or the lack of a distinction between sensitive and nonsensitive personal information.

With the effective date of the CCPA less than one year away, covered businesses should already be active in preparing for compliance. Davis Polk partner Avi Gesser’s advice for preparation is featured in a Cybersecurity Law Report article on considerations for compliance plans and misconceptions surrounding the CCPA.

We will be monitoring updates to the CCPA closely here at the Davis Polk Cyber Blog and will post regularly on any significant developments.

The authors gratefully acknowledge the assistance of law clerk Stephen Rettger in preparing this entry.

Alternative Data Goes Mainstream, and Gets Increased Attention from Regulators
https://www.dpwcyberblog.com/2019/02/alternative-data-goes-mainstream-and-gets-increased-attention-from-regulators/
Mon, 25 Feb 2019 12:35:00 +0000

In the last few years, we have seen a dramatic increase in the purchase and sale of alternative data—a shorthand for big data sets, such as satellite images of parking lots, drug approvals, credit card purchases, cellphone data on retail foot traffic, and construction permits. According to alternativedata.org, the alternative data industry is projected to be worth $350 million in 2020. The recent announcement by Bloomberg LP that it is offering a product that will give clients access to large volumes of alternative data shows the widespread use of this information in making investment decisions, which is causing hedge fund managers and institutional investors to seek even more untapped alpha-generating data sets. Not surprisingly, all this activity is attracting increased regulatory scrutiny.

One law that has been around for a while that applies to alternative data is the Gramm-Leach-Bliley Act (“GLBA”), which requires financial institutions to provide privacy disclosures when they share nonpublic personal information with nonaffiliated third parties. Accordingly, GLBA places some limits on financial institutions’ use of alternative data—such as what banks can do with their vast amounts of valuable personal loan or credit information. To comply with GLBA, banks generally anonymize or de-identify the information they have before selling it.

A new piece of legislation that will take these kinds of obligations beyond financial institutions is the California Consumer Privacy Act (“CCPA”), which goes into effect in 2020. CCPA requires companies to obtain consent from customers before selling their personal data to third parties, but it expressly does not apply to consumer information that is de-identified. Neither GLBA nor CCPA provides any guidance as to what level of anonymization is sufficient. The concern comes from the increasing ability to use sophisticated algorithms that employ publicly available big data sets to re-identify certain kinds of anonymized data. We anticipate that the issue of how much de-identification is enough will be a subject of future regulatory guidance and litigation.

Another new regulatory development is Vermont’s data broker registry, which covers credit reporting agencies, but not retailers or hotels that sell customer data. The law has three main parts: (1) a registration requirement for data brokers, (2) a minimum data security standard for data brokers, and (3) a prohibition on fraudulent acquisition of certain types of data or use of such data to commit bad acts.

Proposed federal privacy laws, such as the CONSENT Act, may also limit the use of alternative data by requiring companies to obtain consent from customers before collecting and selling their personal data. This would be particularly important for smartphone applications that collect and sell information about consumers without disclosure or with disclosures that are buried in lengthy privacy policies that no one reads.

The most significant new regulatory action concerning alternative data has come from the New York State Department of Financial Services (“NYDFS”), which has been a leading regulator in cybersecurity. Earlier this year, the NYDFS issued “Insurance Circular Letter No. 1,” which gives specific guidance on the proper use of alternative data in the life insurance industry, in response to the prevalent use of alternative data in underwriting practices. Examples of data being used in assessing life insurance coverage include review of photos of individuals on social media, retail purchase history, and geographic location tracking. The Circular imposes two obligations on life insurers regulated by the NYDFS. First, insurers using alternative data must independently confirm that any given source of data “does not use and is not based in any way on race, color, creed, national origin, status as a victim of domestic violence, past lawful travel, or sexual orientation in any manner, or any other protected class.” Second, insurers using alternative data for the purposes of any adverse underwriting decision for any particular consumer must disclose to the consumer the details about all information on which the insurer relied to make the decision, including the specific sources of the alternative data.

As more businesses use more kinds of alternative data to assist in business decisions that affect consumers, an increase in regulation is inevitable. We expect that these new regulatory initiatives are just the first of many, and we will be discussing any important developments in this area here at the Davis Polk Cyber Blog.

A New Safe-Harbor Approach to Cybersecurity Regulation
https://www.dpwcyberblog.com/2018/12/a-new-safe-harbor-approach-to-cybersecurity-regulation/
Thu, 06 Dec 2018 14:21:29 +0000

Momentum is building for federal privacy legislation, with several different proposals circulating in Washington. Ohio’s new cybersecurity law offers an interesting approach for incentivizing companies to protect their customers’ personal data.

We have written previously on two competing models for cybersecurity regulation—“standards” versus “rules.” The standards-based approach, historically employed by the FTC and certain state laws, imposes broad, flexible requirements that mandate that a company establish a “reasonable” or “industry standard” cybersecurity program, without specifying how. By contrast, the rules-based approach to cybersecurity regulation, notably employed by the New York Department of Financial Services and the state of Massachusetts, favors concrete measures that a company must take to be deemed compliant, largely without regard to the company’s particular risks or characteristics. We have previously detailed the differences between these approaches; both encourage compliance primarily through punitive considerations, i.e., fear that failure to meet the regulatory obligations will result in an enforcement action (on top of whatever damage is caused by the breach).

The Ohio Data Protection Act (the “DPA”) is more of a “carrot” model. The DPA, which went into effect on November 2, 2018, establishes a limited safe harbor for organizations that suffer a data breach. Specifically, the DPA allows a covered entity to claim an affirmative defense to a tort action brought under Ohio laws or in Ohio courts, where a data breach is alleged to have resulted from the failure to implement reasonable information security controls. Ohio Rev. Code § 1354.02(D)(1). To qualify for the safe harbor, the cybersecurity program must take into consideration the size and complexity of the covered entity, the nature and scope of its activities, the sensitivity of the information to be protected, the cost of available protective measures, and the resources of the covered entity. Id. at § 1354.02(C). The DPA requires that cyber programs reasonably conform to an industry-recognized cybersecurity framework so as to protect the security and confidentiality of the information, protect against anticipated threats or hazards, and protect against unauthorized access or acquisition of data. Id. at § 1354.02(A), (B).

The DPA is certainly an interesting approach, but its immediate impact may turn out to be limited. First, the law only provides a protection under Ohio law or in Ohio courts, so it may be of little value to entities subject to regulation across many states. Second, the law only provides a defense against tort causes of action, offering no shelter against contractual or statutory claims. Finally, the Ohio law places a burden on the affected company to demonstrate the reasonableness of its cybersecurity program, which may require the affected company to participate in limited discovery and disclose sensitive details about its cybersecurity apparatus in and around the time of the breach—potential red meat for litigants as well as intrepid hackers.

Although Ohio’s safe harbor approach is new for cybersecurity laws, there is precedent for offering the maintenance of robust compliance programs as an affirmative defense. For example, the United Kingdom allows an “adequate procedures” defense against liability for alleged violations of the UK Bribery Act. Similarly, the Department of Justice has established policies promoting fine reductions, resolution without a monitor, and consideration of a declination to violators of the Foreign Corrupt Practices Act who implement an effective compliance program and demonstrate certain cooperation, remediation, and disgorgement requirements. Davis Polk has covered these policies in more detail here and here.

Federal preemption of state law has been one of the points of debate surrounding national cybersecurity or privacy legislation. Opponents of preemption argue that allowing states to make their own rules promotes experimentation with different approaches, and that it is too early to settle on one national model for data privacy and cybersecurity regulation when so much is still unknown and untested. The DPA’s incentive-driven approach shows that there are ideas to explore and test in determining the best regulatory framework. The effectiveness of the DPA will likely inform the ongoing debate and formulation of subsequent legislation. Davis Polk clients are encouraged to check out the Davis Polk Cyber Portal for tools to manage cybersecurity and privacy regulatory requirements, and to continue to follow the Davis Polk Cyber Blog for more coverage on this topic and other issues in data privacy and cybersecurity.

Getting Rid of Old Data Is Becoming a Regulatory Requirement
https://www.dpwcyberblog.com/2018/06/getting-rid-of-old-data-is-becoming-a-regulatory-requirement/
Wed, 27 Jun 2018 14:41:23 +0000

For years, the default setting at many companies was to keep electronic data indefinitely. Storage is cheap, there are legal risks associated with deleting data, and you never know when an email from 10 years ago is going to become important. Some companies have document management policies, but often they are not rigorously enforced or they are suspended whenever litigation arises. The result is that most companies have enormous amounts of old data and are generating significant amounts of additional data every day. As the cybersecurity and data privacy risks associated with having large volumes of extraneous data increase, regulators have started to require companies to get rid of data that they don’t need for business, regulatory or legal reasons. Here are some recent examples:

NYDFS – Starting on September 1, 2018, companies regulated by the New York Department of Financial Services’ cybersecurity rules are required to have a data minimization program that includes “policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information…that is no longer necessary for business operations or for other legitimate business purposes… except where such information is otherwise to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.”

GDPR – The EU’s new General Data Protection Regulation, which came into effect on May 25, 2018, requires the limitation of personal data to “what is necessary in relation to the purposes for which [such data] are processed.”

US State Laws – The newly enacted South Carolina Insurance Data Security Act, which is based on the model insurance law, requires covered entities to “define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.” The Act becomes effective on January 1, 2019. In addition, the New York Attorney General recently released cybersecurity guidance for small businesses, which states, “Hackers can’t steal sensitive information if it’s not there. To limit the risks from an attack, delete customer or employee information files you no longer need.”

Although regulators are requiring data minimization programs, implementation remains tricky. Assuming that no one is going to actually review all of the thousands or millions of documents that are to be deleted, sorting documents that must be preserved for legal or regulatory purposes from those that can safely be deleted requires careful planning in order to be effective and not an enormous drain on resources. As discussed in our recent webcast on Cybersecurity and Data Management, recent cases under the Federal Rules of Civil Procedure on spoliation significantly reduce the risk of sanctions resulting from the accidental deletion of electronic materials that might be relevant to litigation. In addition, advances in data analytics and machine learning are creating opportunities for companies to responsibly delete large volumes of old data, without having to review each document to determine if it must be retained for litigation purposes or for some regulatory obligation. These issues, along with a step-by-step approach to responsible document deletion, are also discussed in the below webcast.

The Davis Polk Cyber Portal is now available to assist our clients in their efforts to maintain compliance with their cybersecurity regulatory obligations. If you have questions about the Portal, please contact cyberportal@davispolk.com.

The author gratefully acknowledges the assistance of Law Clerk Daniela Dekhtyar-McCarthy in preparing this entry.

New Breach Notification Regulations – More Requirements with Less Time to Respond
https://www.dpwcyberblog.com/2018/06/new-breach-notification-regulations-more-requirements-with-less-time-to-respond/
Thu, 14 Jun 2018 12:17:58 +0000

Readers of our blog know that the NYDFS cybersecurity rules and the European GDPR are part of a trend in regulation towards onerous breach notification requirements with very short (i.e., 72-hour) deadlines. But there are other, less well-known examples.

Alabama and South Dakota recently passed data security statutes, which means there are now breach notification obligations for all 50 states. Alabama’s Data Breach Notification Act, effective on June 1, has a 45-day notification deadline, while South Dakota’s law, effective on July 1, requires notification to affected individuals within sixty days of discovery of a data breach.

South Carolina also recently expanded notification obligations by becoming the first state to enact a version of the Insurance Data Security Model Law. This law requires all licensees of the South Carolina Department of Insurance to notify the chief insurance regulatory official for the relevant state (here, South Carolina) within 72 hours after they determine that a cybersecurity event has occurred. More information about the Insurance Data Security Model Law is available in our previous post.

Other states are amending their statutes to shorten their breach notification deadlines. For example, in Colorado, HB 18-1128 (the “Privacy Law”) will take effect on September 1, 2018, and provides for notification “in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred.” Similarly, Oregon recently amended its data breach notification law, effective June 2, to require that notification occur no later than forty-five days after discovery. Canada and Singapore have also recently passed new cybersecurity regulations. In Canada, the Digital Privacy Act, set to go into effect on November 1, 2018, requires businesses that experience data breaches to notify affected individuals and Canada’s Privacy Commissioner as soon as feasible. And the Singapore law includes criminal penalties for those who fail to comply with the regulations.

As we have indicated before, we believe that the trend towards more onerous breach notification obligations, with shorter and shorter deadlines (especially for notification to regulators), is likely to continue unabated for the foreseeable future.

The Davis Polk Cyber Portal has many resources to help clients quickly assess their various breach notifications obligations before and during a cyber event. The Portal is frequently updated to reflect changes in cybersecurity regulations and guidance across jurisdictions in real time. If you have questions about the Portal, please contact cyberportal@davispolk.com.

The authors gratefully acknowledge the assistance of summer associate Alyssa Braver in preparing this entry.

More Tough Penalties for Late Breach Notification
https://www.dpwcyberblog.com/2017/11/more-tough-penalties-for-late-breach-notification/
Fri, 03 Nov 2017 16:42:03 +0000

On Halloween, the New York and Vermont attorneys general obtained a $700,000 settlement from Hilton for, among other violations, late breach notification. Earlier this week, we noted that the Reserve Bank of India (“RBI”) imposed a $1 million USD fine on India’s Yes Bank for violating RBI’s 2-to-6-hour data breach notification requirement. So, as we have been predicting for some time, it seems that regulators are starting to step up enforcement and expectations in breach notification cases.

Hilton became aware of cyber breaches in February and July of 2015 but did not report them to consumers until November 2015. Under the terms of the settlement, Hilton must provide notice of future cyber incidents in accordance with the New York and Vermont statutes. Tellingly, although the NY statute provides that notice must be given in the “most expedient time possible and without unreasonable delay,” the New York Attorney General characterized Hilton’s obligation going forward as “immediate notice” in the press release describing the settlement.

The Hilton settlement is also interesting because, as with Equifax, it is another example of state attorneys general claiming that weak cybersecurity practices violate state deceptive practices laws by way of false representations that a company can securely maintain personal information.

One clear implication of these recent cases is that regulators are expecting companies to disclose cyber events more quickly. The New York Department of Financial Services requires covered entities to report certain data breaches within 72 hours. The insurance industry is poised to adopt a 72-hour notification rule, and the European Union’s General Data Protection Regulation will impose a similarly tight deadline for breach notice when it becomes effective in May 2018. And some companies are demonstrating that they can disclose quickly. For example, last month, it was reported that Disqus was able to provide notice within 24 hours of learning of a breach. So, we will not be surprised if state regulators start interpreting phrases like “most expedient time possible,” “without unreasonable delay,” and “as soon as possible” in the applicable cyber breach statutes to mean days, rather than weeks.

The Davis Polk Cyber Breach Portal, which will launch early next year, has many resources to help clients with notification statutes, including a simple, query-based tool that assists clients in quickly assessing their cyber breach notification obligations in 48 states and under HIPAA and the Gramm-Leach-Bliley Act. The Portal is currently being beta tested by a select group of clients.

Davis Polk Memo – New York State Department of Financial Services Proposes New Cybersecurity Regulations
https://www.dpwcyberblog.com/2016/10/davis-polk-memo-%e2%80%a2new-york-state-department-of-financial-services-proposes-new-cybersecurity-regulations/
Thu, 13 Oct 2016 20:38:15 +0000

We have issued a memo on recent proposed cybersecurity regulations by the New York State Department of Financial Services that would be more stringent than existing federal requirements for certain financial entities. The memo highlights similarities and differences between the proposed regulations and federal regulations and guidance.